* software flaws in application architecture
@ 2013-09-27 13:08 Eryndlia Mavourneen
2013-09-27 16:15 ` Adam Beneschan
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Eryndlia Mavourneen @ 2013-09-27 13:08 UTC (permalink / raw)
In this article at:
http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture#!
the authors make the claim that languages other than C and Java have just as many flaws (like buffer overflow in C). Is there a language lawyer who could add a comment to the article regarding Ada?
-- Eryndlia (KK1T)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: software flaws in application architecture
2013-09-27 13:08 software flaws in application architecture Eryndlia Mavourneen
@ 2013-09-27 16:15 ` Adam Beneschan
2013-09-27 17:35 ` Per Sandberg
2013-09-28 18:22 ` Brad Moore
2 siblings, 0 replies; 4+ messages in thread
From: Adam Beneschan @ 2013-09-27 16:15 UTC (permalink / raw)
On Friday, September 27, 2013 6:08:09 AM UTC-7, Eryndlia Mavourneen wrote:
> In this article at:
>
>
>
> http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture#!
>
>
>
> the authors make the claim that languages other than C and Java have just as many flaws (like buffer overflow in C). Is there a language lawyer who could add a comment to the article regarding Ada?
I wouldn't make too much of this. You could make some sort of argument that you've counted and there are only 62.12% (or whatever) as many flaws in Ada that could lead to security bugs as there are in C, but it's really beside the point. Their wording was sloppy. The overall point, that software has bugs in it that can pose security problems, and their "architectural risk analysis" process can help find those early, is true regardless of what language is used. Most of the flaws are things that no language can prevent.
One thing that Ada *does* suffer from is deallocation problems, in which an allocated object is deallocated while a pointer to it still exists. My impression is that this is still the cause of lots of security vulnerabilities, probably more than buffer overflow by now. Ada doesn't prevent those problems, although it does make it possible to encapsulate things in controlled types to reduce the chance of this occurring (C++ also has features that make this possible).
But anyway, the article isn't about languages. I think they're just trying to tell people that you can't stop worrying about security just because you're using Java or some language other than C, and it's a valid point.
-- Adam
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: software flaws in application architecture
2013-09-27 13:08 software flaws in application architecture Eryndlia Mavourneen
2013-09-27 16:15 ` Adam Beneschan
@ 2013-09-27 17:35 ` Per Sandberg
2013-09-28 18:22 ` Brad Moore
2 siblings, 0 replies; 4+ messages in thread
From: Per Sandberg @ 2013-09-27 17:35 UTC (permalink / raw)
http://ironsides.martincarlisle.com/ is a working sample.
/Per
On Fri, 27 Sep 2013 06:08:09 -0700 (PDT)
Eryndlia Mavourneen <eryndlia@gmail.com> wrote:
> In this article at:
>
> http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture#!
>
> the authors make the claim that languages other than C and Java have
> just as many flaws (like buffer overflow in C). Is there a language
> lawyer who could add a comment to the article regarding Ada?
>
> -- Eryndlia (KK1T)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: software flaws in application architecture
2013-09-27 13:08 software flaws in application architecture Eryndlia Mavourneen
2013-09-27 16:15 ` Adam Beneschan
2013-09-27 17:35 ` Per Sandberg
@ 2013-09-28 18:22 ` Brad Moore
2 siblings, 0 replies; 4+ messages in thread
From: Brad Moore @ 2013-09-28 18:22 UTC (permalink / raw)
On 27/09/2013 7:08 AM, Eryndlia Mavourneen wrote:
> In this article at:
>
> http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture#!
>
> the authors make the claim that languages other than C and Java have just as many flaws (like buffer overflow in C). Is there a language lawyer who could add a comment to the article regarding Ada?
>
> -- Eryndlia (KK1T)
>
You might want to check out the publically and freely available
technical report ISO/IEC TR 24772 produced by ISO/IEC JTC 1/SC22/WG23
entitled;
Information technology - Programming languages - Guidance to avoiding
vulnerabilities in programming languages through language selection and use.
standards.iso.org/ittf/PubliclyAvailableStandard/c061457_ISO_IEC_TR_24772_2013.zip
It describes various software vulnerabilities including buffer overflow.
It also includes annexes for specific languages that describes how each
vulnerability applies to that language, as well as how to avoid that
vulnerability in that language.
Each language has its own set of vulnerabilties, and a particular
vulnerability may be more prone to happen in one language than in
another, in possibly different ways.
The set of annexes includes Ada, C, Python, Ruby, SPARK, PHP.
It is hoped that future revisions of this technical report will include
other languages.
Brad Moore
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-09-28 18:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-09-27 13:08 software flaws in application architecture Eryndlia Mavourneen
2013-09-27 16:15 ` Adam Beneschan
2013-09-27 17:35 ` Per Sandberg
2013-09-28 18:22 ` Brad Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox